On Mon, Jan 20, 2014, no_spam...@yahoo.com wrote:
>
> Can you give me any information with regards to how the exploitation of
> CVE-2013-6450 against 0.9.8y may manifest itself? If not a DoS, could it
> cause a process using libssl to core, cause libssl to return an "okay" when
> it should retur
sensitive information, etc.?
Thanks.
- Original Message -
> Sent: Thursday, January 16, 2014 1:51 PM
> Subject: Re: CVE-2013-6450 and 0.9.8-line
>
> Oh, okay. Thank you for that tidbit.
>
> If not a DoS, how does the issue manifest itself in 0.9.8 if an adversary
>
014 12:22 PM
> Subject: Re: CVE-2013-6450 and 0.9.8-line
>
> On Thu, Jan 16, 2014, no_spam...@yahoo.com wrote:
>
>
>> It is my understanding that 0.9.8y contains the DTLS retransmission flaw
>> described in CVE-2013-6450.
>>
>
> It contains the flaw

On Thu, Jan 16, 2014, no_spam...@yahoo.com wrote:
> It is my understanding that 0.9.8y contains the DTLS retransmission flaw
> described in CVE-2013-6450.
>
It contains the flaw but it is not a DoS issue in 0.9.8.
It's not a trivial fix for 0.9.8 because the DTLS record handling changed in
1.0.

It is my understanding that 0.9.8y contains the DTLS retransmission flaw
described in CVE-2013-6450.
I thought I read somewhere that OpenSSL.org is working on a 0.9.8za release to
address this issue (and other bug fixes).
Is that correct? If so, what is the release schedule?
Thanks.